I am trying to access a protected servlet (xyz) that requires the whoAmI role.
Using Keycloak as the OpenID provider, this is my openid-connect configuration:
<openidConnectClient id="RP" scope="openid" signatureAlgorithm="RS256"
    clientId="liberty" clientSecret="secret"
    discoveryEndpointUrl="https://localhost:8243/auth/realms/abc/.well-known/openid-configuration"
    userIdentityToCreateSubject="id"
    groupIdentifier="groupof"
    realmName="abc"
/>
<application type="ear" location="/opt/was-services.ear"></application>
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
    <servlet>
        <servlet-name>abcServlet</servlet-name>
        <servlet-class>com.ABCServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>abcServlet</servlet-name>
        <url-pattern>/abc</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>secure</web-resource-name>
            <url-pattern>/abc</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description></description>
            <role-name>test</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>test</description>
        <role-name>test</role-name>
    </security-role>
</web-app>
EAR META-INF/ibm-application-bnd.xml:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    version="1.2">
    <security-role name="test">
        <group name="gpTest"/>
    </security-role>
</application-bnd>
When I access the servlet, it redirects me to the Keycloak login page, and after a successful login it redirects me back to the servlet path, but then gives the error:
Error 403: AuthorizationFailed
The user is not granted access to any of the required roles: [test]
Liberty accepts the access token and creates a session; I can see the WAS_p158005998 cookie in the browser. The authorization is failing for some reason. Not sure how to map the Keycloak groups to Liberty.
Both the accessToken and the idToken contain the id and groupof (array) fields as below:
{
    "id": "user1",
    "groupof": [
        "gpTest",
        "gpTest2"
    ]
}
Do I need to map any registry? Or is my application binding wrong (I tried using the group name gpTest directly, but it didn't work)?
In your application-bnd.xml file, I think the group element needs an access-id attribute, as described here.
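A binding carrying the access-id attribute the answer refers to, as an added example that is not part of the original question or answer. It assumes Liberty's group access-id form group:<realmName>/<groupName>, with the realm name abc taken from the realmName="abc" attribute of the question's openidConnectClient element and the group name gpTest taken from the token's groupof claim.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post): ibm-application-bnd.xml binding
     the application role "test" to the Keycloak group "gpTest" that arrives in
     the "groupof" claim of the id/access token.
     Assumption: Liberty builds the group access-id as group:<realmName>/<groupName>,
     so the realm here must equal realmName="abc" in openidConnectClient and the
     group name must match the claim value exactly (case-sensitive). -->
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    version="1.2">
    <security-role name="test">
        <!-- "name" alone is resolved against a user registry; when the subject
             is created from token claims there is no registry lookup, so the
             access-id is what authorization actually compares against. -->
        <group name="gpTest" access-id="group:abc/gpTest"/>
    </security-role>
</application-bnd>
```

Only groups that are bound here grant the role: the second claim value, gpTest2, maps to nothing unless it is given its own group element, which keeps the granted role set limited to the groups you deliberately list.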